Installing and configuring an OpenVPN server and client with PiVPN


Raspberry Pi: version 1
Distribution: Raspbian Jessie Lite 2016-12-25

Links:
PiVPN:
http://www.pivpn.io/
Raspberry Pi: installing and configuring OpenVPN:
http://www.bexen.fr/2016/03/15/raspberry-pi-installation-et-configuration-dopenvpn/
Building A Raspberry Pi VPN Part One: How And Why To Build A Server:
http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/

1/ Basic configuration of the Raspberry Pi.

See my other tutorials.

2/ Switch to ‘root’:

pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home/pi# 

3/ Download and run the installation script:

root@raspberrypi:/home/pi# curl -L https://install.pivpn.io | bash

4/ Configuration:

PiVPN Automated Installer

This installer will transform your Raspberry Pi into an OpenVPN  server!  

< Ok >

Static IP Needed

The PiVPN is a SERVER so it needs a STATIC IP ADDRESS to function  properly.  
In the next section, you can choose to use your current network  settings (DHCP) or to manually edit them. 

< Ok >

Choose An Interface (press space to select)

(*) eth0  available

< Ok >

Static IP Address

Do you want to use your current network settings as a static address?                                                                
IP address:    192.168.1.23/24                      
Gateway:       192.168.1.1  

< Oui >

FYI: IP Conflict

It is possible your router could still try to assign this IP to a
device, which would cause a conflict.  But in most cases the
router is smart enough to not do that.
If you are worried, either manually set the address, or modify the
DHCP reservation pool so it does not include the IP you want.
It is also possible to use a DHCP reservation, but if you are
going to do that, you might as well set a static address.

< Ok >

Local Users

Choose a local user that will hold your ovpn configurations.

< Ok >

Choose A User

Choose:

(*) pi

< Ok >

Unattended Upgrades

Since this server will have at least one port open to the               
internet, it is recommended you enable unattended-upgrades.             
This feature will check daily for security package updates only         
and apply them when necessary.                                          
It will NOT automatically reboot the server so to fully apply some      
updates you should periodically reboot.

< Ok >

Unattended Upgrades

Do you want to enable unattended upgrades of security patches to  this server? 

< Oui >

Protocol

Choose a protocol. Please only choose TCP if you know why you need  TCP.
 
(*) UDP 

< Ok >

Default OpenVPN Port

You can modify the default OpenVPN port.                                
Enter a new value or hit 'Enter' to retain the default     
 
1194

< Ok >

Confirm Custom Port Number

Are these settings correct?                                             
PORT:   1194   

< Oui >

Encryption Strength

Choose your desired level of encryption:                                
This is an encryption key that will be generated on your             
system.  The larger the key, the more time this will take.  For         
most applications it is recommended to use 2048 bit.  If you are        
testing or just want to get through it quicker you can use 1024.        
If you are paranoid about ... things... then grab a cup of joe and  pick 4096.       
 
(*) 1024  Use 1024-bit encryption. Test level.

< Ok >

Server Information

The server key, Diffie-Hellman key, and HMAC key will now be  generated. 

< Ok >

Public IP or DNS

Will clients use a Public IP or DNS Name to connect to your server? 

(*) 90.33.115.21  Use this public IP

< Ok >

Select the DNS Provider for your VPN Clients. To use your own, select Custom.

(*) Google 

< Ok >

Installation Complete!

Now run 'pivpn add' to create the ovpn profiles.                        
Run 'pivpn help' to see what else you can do!                           
The install log is in /etc/pivpn. 

< Ok >

Reboot

It is strongly recommended you reboot after installation.  Would  you like to reboot now?

< Oui >

Rebooting

The system will now reboot.

< Ok >

5/ Verification:

root@raspberrypi:~# tail -f /var/log/openvpn.log 
Mon Jan 16 21:16:58 2017 Control Channel Authentication: using '/etc/openvpn/easy-rsa/pki/ta.key' as a OpenVPN static key file
Mon Jan 16 21:16:58 2017 TUN/TAP device tun0 opened
Mon Jan 16 21:16:58 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jan 16 21:16:58 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Jan 16 21:16:58 2017 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Mon Jan 16 21:16:58 2017 GID set to nogroup
Mon Jan 16 21:16:58 2017 UID set to nobody
Mon Jan 16 21:16:58 2017 UDPv4 link local (bound): [undef]
Mon Jan 16 21:16:58 2017 UDPv4 link remote: [undef]
Mon Jan 16 21:16:58 2017 Initialization Sequence Completed
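A small server-side health check, added here as an example (it is not part of the original tutorial or of PiVPN): it reads the OpenVPN log and confirms the three properties visible in the lines above, that the control channel is protected by the tls-auth static key, that the daemon dropped root privileges to nobody/nogroup, and that initialization completed. The log path and line formats are the ones shown above; the function names are the editor's own.

```shell
#!/bin/sh
# Added example, not from the tutorial or from PiVPN: check the tail of the
# OpenVPN server log for the markers of a healthy start. Line formats follow
# the /var/log/openvpn.log excerpt above.

# Extract the tunnel address the server configured on tun0 (e.g. 10.8.0.1/24).
openvpn_log_tun_addr() {
    sed -n 's/.*ip addr add dev tun0 \([0-9./]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed when the daemon dropped root privileges after setup.
openvpn_log_privs_dropped() {
    grep -q 'UID set to nobody' "$1" && grep -q 'GID set to nogroup' "$1"
}

# Succeed when tls-auth HMAC protection of the control channel is active.
openvpn_log_tls_auth() {
    grep -q 'Control Channel Authentication: using .*ta.key' "$1"
}

# Succeed when OpenVPN reported that initialization completed.
openvpn_log_ready() {
    grep -q 'Initialization Sequence Completed' "$1"
}

# Print one line per check plus the tunnel address; return 0 only if all pass.
openvpn_log_status() {
    log="$1"
    rc=0
    for check in openvpn_log_tls_auth openvpn_log_privs_dropped openvpn_log_ready; do
        if "$check" "$log"; then
            echo "$check: ok"
        else
            echo "$check: MISSING"
            rc=1
        fi
    done
    echo "tunnel address: $(openvpn_log_tun_addr "$log")"
    return $rc
}

# Usage on the Pi (as root, the log is not world-readable):
#   openvpn_log_status /var/log/openvpn.log
```

Run it after each reboot or configuration change; a missing privilege-drop line or a missing "Initialization Sequence Completed" is the quickest sign that the service came up in a state different from the one shown above.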

6/ Add an OpenVPN client.

– Creating a client:

pi@raspberrypi:~ $ pivpn add
Enter a Name for the Client:  client01
Enter the password for the client:  
Enter the password again to verify: 
...
Write out database with 1 new entries
Data Base Updated
Client's cert found: client01.crt
Client's Private Key found: client01.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key
========================================================
Done! client01.ovpn successfully created! 
client01.ovpn was copied to:
  /home/pi/ovpns
for easy transfer.
========================================================

– Verification:

pi@raspberrypi:~ $ ls -l ovpns/client01.ovpn 
-rw-r--r-- 1 pi root 3626 janv. 16 21:20 ovpns/client01.ovpn
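The profile is listed as -rw-r--r--, i.e. readable by every local account, and it is carried as one file to the client machine. The following audit, added here as an example and not part of the tutorial or of PiVPN, checks that the profile is readable only by its owner and that it contains the four inline sections (<ca>, <cert>, <key>, <tls-auth>) corresponding to the items the pivpn add output lists. That PiVPN embeds them as inline blocks under exactly those tag names is an assumption of this example, as are the function names.

```shell
#!/bin/sh
# Added example, not from the tutorial or from PiVPN: audit a generated .ovpn
# before transferring it. Assumes (not confirmed on the page) that the profile
# embeds the CA certificate, client certificate, client private key and
# tls-auth key as <ca>, <cert>, <key> and <tls-auth> blocks.

# Print the symbolic mode of a file, e.g. "-rw-r--r--" (portable via ls).
ovpn_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only if the profile is readable and writable by its owner alone.
ovpn_perms_ok() {
    [ "$(ovpn_mode "$1")" = "-rw-------" ]
}

# Tighten permissions so the embedded private key is not readable by others.
ovpn_perms_fix() {
    chmod 600 "$1" && ovpn_perms_ok "$1"
}

# Count how many of the expected inline sections are present (0 to 4).
ovpn_inline_sections() {
    n=0
    for tag in ca cert key tls-auth; do
        if grep -q "^<$tag>" "$1" && grep -q "^</$tag>" "$1"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Full check: owner-only permissions plus all four inline sections.
# Prints a verdict per item and returns 0 only when both pass.
ovpn_audit() {
    f="$1"
    rc=0
    if ovpn_perms_ok "$f"; then
        echo "permissions: ok ($(ovpn_mode "$f"))"
    else
        echo "permissions: too open ($(ovpn_mode "$f")); run: chmod 600 $f"
        rc=1
    fi
    sections=$(ovpn_inline_sections "$f")
    if [ "$sections" -eq 4 ]; then
        echo "inline sections: ok ($sections/4)"
    else
        echo "inline sections: incomplete ($sections/4)"
        rc=1
    fi
    return $rc
}

# Usage on the server, as user pi:
#   ovpn_audit /home/pi/ovpns/client01.ovpn || ovpn_perms_fix /home/pi/ovpns/client01.ovpn
```

The password set during pivpn add protects the private key inside the file, but the permissions are what keep other local users from copying the profile in the first place; tighten them on the server before the transfer and again on the client after it.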

7/ Installing the OpenVPN client:

From a remote computer:

– Installing OpenVPN:

[~] ➔ sudo apt-get install openvpn

– Connecting:

[~] ➔ sudo openvpn --config client01.ovpn 
[sudo] password for nekrofage: 
Mon Jan 16 22:20:49 2017 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Apr 13 2015
Enter Private Key Password: *********
Mon Jan 16 22:20:53 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 16 22:20:53 2017 Control Channel Authentication: tls-auth using INLINE static key file
Mon Jan 16 22:20:53 2017 UDPv4 link local: [undef]
Mon Jan 16 22:20:53 2017 UDPv4 link remote: [AF_INET]90.33.115.21:1194
Mon Jan 16 22:20:55 2017 [server] Peer Connection Initiated with [AF_INET]90.33.115.21:1194
Mon Jan 16 22:20:58 2017 TUN/TAP device tun0 opened
Mon Jan 16 22:20:58 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jan 16 22:20:58 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Jan 16 22:20:58 2017 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
RTNETLINK answers: File exists
Mon Jan 16 22:20:58 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Jan 16 22:20:58 2017 Initialization Sequence Completed
^CMon Jan 16 22:21:53 2017 event_wait : Interrupted system call (code=4)
Mon Jan 16 22:21:53 2017 /sbin/ip addr del dev tun0 10.8.0.2/24
Mon Jan 16 22:21:53 2017 SIGINT[hard,] received, process exiting

– Error:

Options error: Unrecognized option or missing parameter(s) in client01.ovpn:11: tls-version-min (2.3.2)

Solution:

Open:

client01.ovpn

Find and delete:

tls-version-min 1.2
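Deleting the line makes the profile load on this 2.3.2 client, but it also removes the TLS 1.2 floor for any newer client that reads the same file. The script below, added here as an example and not part of the tutorial or of PiVPN, removes the directive only when the installed client is too old to parse it. It assumes the directive first shipped in OpenVPN 2.3.3 (kept as a constant so it can be adjusted), reads the version from the first line of openvpn --version as shown in the connection log above, and uses constructed profile lines for its demonstration. Function names are the editor's own.

```shell
#!/bin/sh
# Added example, not from the tutorial or from PiVPN: drop "tls-version-min"
# from a copy of the profile only for an OpenVPN client too old to parse it,
# so newer clients keep enforcing the TLS 1.2 minimum.

# First OpenVPN release assumed to understand tls-version-min (assumption).
TLS_VERSION_MIN_SINCE=2.3.3

# Compare two dotted versions numerically per component; succeed if $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0 }'
}

# Read "x.y.z" from the first line of "openvpn --version" on stdin
# (it looks like "OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] ...").
openvpn_version_from() {
    sed -n '1s/^OpenVPN \([0-9][0-9.]*\).*/\1/p'
}

# Succeed if a client of the given version understands tls-version-min.
supports_tls_version_min() {
    version_ge "$1" "$TLS_VERSION_MIN_SINCE"
}

# Write an adapted copy of a profile: identical for capable clients, with
# tls-version-min removed for older ones. Reports what it did.
adapt_profile() {
    in="$1"; out="$2"; ver="$3"
    if supports_tls_version_min "$ver"; then
        cp "$in" "$out"
        echo "client $ver supports tls-version-min: profile left unchanged"
    else
        grep -v '^tls-version-min' "$in" > "$out"
        echo "client $ver predates tls-version-min: directive removed, no TLS floor is enforced on this client"
    fi
}

# Usage on the client machine:
#   adapt_profile client01.ovpn client01-local.ovpn "$(openvpn --version | openvpn_version_from)"
#   sudo openvpn --config client01-local.ovpn
```

Keeping the original profile untouched and editing a per-client copy means the file handed to a future, updated client still carries the directive.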

– Verification:

[~] ➔ ifconfig
eth0      Link encap:Ethernet  HWaddr 14:58:d0:04:c6:76  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000 
          Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)

lo        Link encap:Boucle locale  
          inet adr:127.0.0.1  Masque:255.0.0.0
          adr inet6: ::1/128 Scope:Hôte
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          Packets reçus:291 erreurs:0 :0 overruns:0 frame:0
          TX packets:291 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0 
          Octets reçus:25244 (25.2 KB) Octets transmis:25244 (25.2 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet adr:10.8.0.2  P-t-P:10.8.0.2  Masque:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          Packets reçus:58 erreurs:0 :0 overruns:0 frame:0
          TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100 
          Octets reçus:4480 (4.4 KB) Octets transmis:7224 (7.2 KB)

wlan0     Link encap:Ethernet  HWaddr 9c:ad:97:92:ed:43  
          inet adr:192.168.43.201  Bcast:192.168.43.255  Masque:255.255.255.0
          adr inet6: fe80::9ead:97ff:fe92:ed43/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Packets reçus:234 erreurs:0 :0 overruns:0 frame:0
          TX packets:318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000 
          Octets reçus:32758 (32.7 KB) Octets transmis:46095 (46.0 KB)
[~] ➔ ping 192.168.1.26
PING 192.168.1.26 (192.168.1.26) 56(84) bytes of data.
64 bytes from 192.168.1.26: icmp_seq=1 ttl=63 time=176 ms
64 bytes from 192.168.1.26: icmp_seq=2 ttl=63 time=97.1 ms
64 bytes from 192.168.1.26: icmp_seq=3 ttl=63 time=236 ms
64 bytes from 192.168.1.26: icmp_seq=4 ttl=63 time=136 ms
^C
--- 192.168.1.26 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4006ms
rtt min/avg/max/mdev = 97.163/161.867/236.772/51.618 ms
[~] ➔ ping google.fr
PING google.fr (216.58.204.99) 56(84) bytes of data.
64 bytes from par10s28-in-f3.1e100.net (216.58.204.99): icmp_seq=1 ttl=52 time=1300 ms
64 bytes from par10s28-in-f3.1e100.net (216.58.204.99): icmp_seq=2 ttl=52 time=1783 ms
64 bytes from par10s28-in-f3.1e100.net (216.58.204.99): icmp_seq=4 ttl=52 time=473 ms
64 bytes from par10s28-in-f3.1e100.net (216.58.204.99): icmp_seq=5 ttl=52 time=619 ms
^C
--- google.fr ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4009ms
rtt min/avg/max/mdev = 473.314/1044.053/1783.473/528.811 ms, pipe 2

– Checking the log on the server:
root@raspberrypi:~# tail -f /var/log/openvpn.log 
...
Mon Jan 16 22:20:56 2017 37.163.78.32:63337 [client01] Peer Connection Initiated with [AF_INET]37.163.78.32:63337
Mon Jan 16 22:20:56 2017 client01/37.163.78.32:63337 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Mon Jan 16 22:20:58 2017 client01/37.163.78.32:63337 send_push_reply(): safe_cap=940